Spamhaus HBL Milter: Difference between revisions

(Created page with "= A Milter for using Spamhaus HBL with Zimbra Postfix = In this article you will learn how to use Spamhaus Hash Blocklist (HBL) to improve email protection in Zimbra. For a l...")
 
(No difference)

Latest revision as of 07:27, 15 December 2022

A Milter for using Spamhaus HBL with Zimbra Postfix

In this article you will learn how to use Spamhaus Hash Blocklist (HBL) to improve email protection in Zimbra. For a long time administrators of Zimbra have relied on Spamhaus to fight incoming spam by configuring Postfix using traditional blacklists. These traditional blocklists work by blocking IP (ranges) and domains of known spammers.

When an email is sent from free email providers such as Gmail, Hotmail or Protonmail it is not always possible to list the sending IP or domain on a blocklist as this would affect many other legitimate users. By using hashes Spamhaus can list specific, compromised email addresses that are sending spam or otherwise malicious content.

If you prefer you can also use Spamhaus HBL using SpamAssassin, this is documented at https://wiki.zimbra.com/index.php?title=Spamhaus_HBL

Step one get a DQS account

To be able to use Spamhaus HBL you need to register for a DQS account and get a commercial subscription. Spamhaus has a special offer for Zimbra users.

How does the Milter work

Whenever an email passes through Postfix, the Milter will query the Spamhaus HBL using DNS. It will do lookups for the email address in the From and Sender header. In case an email address is listen in HBL the X-Spam-Flag header will be added and set to YES.

Installing the Milter

These instructions have been validated on Ubuntu 20.04. Run as root:

apt install python3-milter supervisor python3-dnspython
mkdir /etc/milter
wget https://raw.githubusercontent.com/Zimbra/spamhaus-hbl-milter/main/spamhaushbl.py -O /etc/milter/spamhaushbl.py
wget https://raw.githubusercontent.com/Zimbra/spamhaus-hbl-milter/main/spamhaushbl.conf -O /etc/supervisor/conf.d/spamhaushbl.conf
chmod +rx /etc/milter/spamhaushbl.py
sed -i -e 's/PUT_DQS_KEY_HERE/aip7yig6sahg6ehsohn5shco3z/g' /etc/milter/spamhaushbl.py #replace aip7yig6sahg6ehsohn5shco3z with your real key
systemctl restart supervisor
tail -f /var/log/spamhaushbl.log

Configuring Zimbra

su - zimbra
# check if you already have Milters:
zmprov gs `zmhostname` zimbraMtaSmtpdMilters
zmprov gs `zmhostname` zimbraMtaNonSmtpdMilters
#if not proceed like so:
zmprov ms `zmhostname` zimbraMtaSmtpdMilters inet:127.0.0.1:8802
zmprov ms `zmhostname` zimbraMtaNonSmtpdMilters inet:127.0.0.1:8802
#if you use Milters already you can daisy chain them like so
#zmprov ms `zmhostname` zimbraMtaSmtpdMilters "inet:existing-ip:port, inet:127.0.0.1:8802"
#zmprov ms `zmhostname` zimbraMtaNonSmtpdMilters "inet:existing-ip:port, inet:127.0.0.1:8802"
zmprov ms `zmhostname` zimbraMilterServerEnabled TRUE
zmmtactl restart

#Check if you already use Milters
postconf smtpd_milters

#Example output: smtpd_milters = inet:127.0.0.1:8802, inet:127.0.0.1:7026

#if you have no milter running at 7026, you can:
postconf -e 'smtpd_milters = inet:127.0.0.1:8802'

Try sending some emails and:

tail -f /var/log/spamhaushbl.log
tail -f /var/log/zimbra.log

You can also run the milter without supervisord, stop supervisord and just run it like python3 /etc/milter/spamhaushbl.py.

Depending on your set-up messages with the X-Spam-Flag set to YES will be delivered in the Spam/Junk folder. If not you can add the following Sieve filter:

if header :contains "X-Spam-Flag" "YES" {
  fileinto "Junk";
  stop;
}

More information on setting up Sieve is at: https://blog.zimbra.com/2022/07/zimbra-skillz-using-sieve-filters-on-zimbra-via-the-admin-console/

Jump to: navigation, search